CVE-2016-9836

Name of the Vulnerable Software and Affected Versions Joomla! CMS versions prior to 3.6.5

Description The issue concerns the file scanning mechanism in Joomla! CMS, specifically the JFilterInput::isFileSafe() function, which fails to account for alternative PHP file extensions when checking uploaded files for PHP content. This allows users to upload and execute files with extensions such as .php6, .php7, .phtml, and .phpt. Furthermore, the JHelperMedia::canUpload() function did not properly blacklist these file extensions as uploadable file types.

Recommendations For versions prior to 3.6.5, update to version 3.6.5 or later to resolve the issue.